Alerts

A malicious Chrome and Edge browser extension delivers a powerful backdoor that steals information from the browser and monitors the victim’s activity.

A downloader delivers the malware payload, which contains the Revisit remote administration tool together with a backdoor browser extension used to hijack the infected system.

The two payloads are apparently distributed by a group of malware authors referred to as Moldova, who deliver the backdoor and RAT through malicious attachments in spam emails.

Abuse of legitimate remote access tools is not a new method: the TeamSpy malware, for example, abused TeamViewer to take over affected systems remotely.

Attackers continue to abuse legitimate Windows tools and open source tooling such as Chrome WebDriver and Microsoft WebDriver.

 

How Does This Backdoor Work?

The malware arrives in an email that uses various social engineering techniques and carries an attached document with an embedded, heavily obfuscated malicious macro.

Once the malicious dropper runs, it executes a JavaScript file packed in a ZIP archive that contains two kinds of payload: one based on Java and another based on Node.js.

The Node.js payload is packed in a ZIP archive containing several files. Once the user enables the macro, it runs node.exe install.js, an installation script that checks for administrator rights and group membership to identify the user.

It then calls install.vbs to escalate privileges and add new firewall rules allowing traffic for the remote access tool it is about to install.

According to the researchers, “It establishes persistence by adding shortcut (LNK) files in the Startup folder. install_do.js will also install a browser extension to the system’s browser extension directory and creates a timestamp.dat file.”

The Node.js component then launches the remote access tool: it kills the currently open web browser via taskkill /IM <filename> and executes Revisit 0.63, a legitimate, signed remote access application.

Stolen documents are then uploaded through the remote access tool to the command-and-control (C&C) server. The attackers also receive the machine ID and password, allowing them to connect to the victim’s machine remotely and gain full control over it.

 

Browser Extension Backdoor

Once the Node.js and Java modules detect that Chrome or Edge is open, they kill the original browser process, start a new one, and load the malicious extension into the new process.

It then disables security checks and proceeds to load the malicious extension. The researchers found the extension in Chrome, but confirmed that it is also compatible with Edge.

“This compatibility was a feature introduced by Microsoft last year to help developers port their Chrome extensions to Edge. Selenium is also used to load the extension into Edge.”

The loaded extension is designed as a backdoor: it keeps collecting the web pages and URLs the user opens and sends them to the attacker via the C&C server.

The extension can also capture certain actions, including clicking buttons, selecting items from a drop-down list, and typing any value into a form on the web page, the researchers said.
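The chain described above (a script host launching node.exe install.js, a firewall rule added for a binary in the temp directory, the browser killed by node.exe and relaunched with an extension, a WebDriver as the browser’s parent) leaves a distinctive trail in process-creation telemetry. The following is an added example, not code from the original article or from the researchers: a small rule set run over constructed events in the shape of Sysmon Event ID 1 records (Image, CommandLine, ParentImage). The file paths, user name and rule names are made up, and the --load-extension switch is an assumption about how an unpacked extension would be loaded into a fresh browser process; the article does not name the mechanism.

```python
"""Process-creation rules for the Node.js / Revisit / extension chain.

Added example, not from the original article. Events are constructed to
resemble Sysmon Event ID 1 records; every path and value is made up.
"""
import re

# Constructed sample events: four from the chain above, two benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "CommandLine": r"node.exe install.js",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="rv" dir=in '
                    r'action=allow program="C:\Users\alice\AppData\Local\Temp\revisit.exe"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": r"taskkill /IM chrome.exe /F",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\node.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --load-extension="C:\Users\alice\AppData\Local\Temp\ext"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\chromedriver.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" https://example.com',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r"node.exe build.js",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe"},
]

# (rule name, Image pattern, CommandLine pattern, ParentImage pattern or None).
# Patterns are regular expressions matched case-insensitively; a doubled
# backslash in the pattern matches one literal path separator.
RULES = [
    ("node_install_script",
     r"\\node\.exe$", r"\binstall\.js\b", None),
    ("node_spawned_by_office_or_script_host",
     r"\\node\.exe$", r".", r"\\(winword|excel|wscript|cscript)\.exe$"),
    ("firewall_rule_for_temp_binary",
     r"\\netsh\.exe$", r"advfirewall\s+firewall\s+add\s+rule.*\\Temp\\", None),
    ("browser_killed_by_node",
     r"\\taskkill\.exe$", r"/IM\s+(chrome|msedge|microsoftedge)\.exe", r"\\node\.exe$"),
    ("browser_started_with_unpacked_extension",
     r"\\(chrome|msedge)\.exe$", r"--load-extension=", None),
    ("browser_driven_by_webdriver",
     r"\\(chrome|msedge)\.exe$", r".", r"\\(chromedriver|msedgedriver|MicrosoftWebDriver)\.exe$"),
]


def match_event(event, rules=RULES):
    """Return the names of every rule whose three patterns all match the event."""
    hits = []
    for name, image_re, cmd_re, parent_re in rules:
        if not re.search(image_re, event.get("Image", ""), re.IGNORECASE):
            continue
        if not re.search(cmd_re, event.get("CommandLine", ""), re.IGNORECASE):
            continue
        if parent_re and not re.search(parent_re, event.get("ParentImage", ""), re.IGNORECASE):
            continue
        hits.append(name)
    return hits


def scan(events, rules=RULES):
    """Map each rule that fired to the indices of the events it fired on."""
    fired = {}
    for idx, event in enumerate(events):
        for name in match_event(event, rules):
            fired.setdefault(name, []).append(idx)
    return fired


if __name__ == "__main__":
    for name, indices in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: events {indices}")
```

Each rule on its own is weak (developers run node.exe, administrators add firewall rules); the value is in correlating several hits from the same host within a short window, which is what the chain above would produce. The two benign events at the end of the sample produce no hits.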

 

The information contained in this website is for general information purposes only. The information is gathered from GB Hackers. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

 

Overview

Some platforms with integrated GPUs, such as smartphones, may allow both side-channel and rowhammer attacks via WebGL, which may allow a remote attacker to compromise the browser on an affected platform. An attack technique that leverages these vulnerabilities is called “GLitch.”

Description

An academic paper describes an attack called “GLitch,” which leverages two different techniques to achieve a compromise of a web browser using WebGL. The attack is only feasible on platforms where the CPU and GPU share the same memory, such as a smartphone or similar device. The two components of the attack are:

  1. A Side-channel attack to determine physical memory layout
  2. A Rowhammer attack to flip the value of one or more bits in physical memory

 

The Side-channel Attack

The precise timing capabilities provided by WebGL can allow an attacker to distinguish cached DRAM accesses from uncached DRAM accesses. This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions is used in a number of microarchitectural attacks, such as rowhammer.

 

The Rowhammer Attack

The rowhammer attack targets the design of DRAM memory. On a system where the DRAM is insufficiently refreshed, targeted operations on a row of DRAM memory may be able to influence the memory values on neighboring rows. Protections against the rowhammer attack include the use of ECC DRAM, as well as increased refresh rates. The LPDDR4 mobile memory standard also has optional hardware support for target row refresh, which can mitigate the rowhammer attack.

 

Combining the Attacks with WebGL

The GLitch attack leverages both a side-channel attack to determine contiguous memory, as well as rowhammer. With the knowledge of contiguous memory, an attacker may be able to determine relative physical addresses. This knowledge of relative physical addresses can let the attacker know what memory locations to target with the rowhammer attack. The use of WebGL with precise timers is important in the GLitch attack for these reasons:

  • Precise WebGL timers allow a side-channel to leak memory addresses.
  • GPU capabilities exposed via WebGL allow for fast double-sided DRAM access, enabling the rowhammer attack.

The impact of combining both the side-channel attack and rowhammer attack has been demonstrated to bypass the Firefox sandbox on the Android platform.

GLitch Success Rates in Testing

It is important to realize that the GLitch attack has only been successfully demonstrated on the Nexus 5 phone, which was released in 2013. The Nexus 5 received its last software security update in October 2015, and is therefore already an unsafe device to use. Several other phones released in 2013 were tested, but could not be successfully attacked with GLitch. Success rates on phones newer than the 2013 models were not provided, and non-Android devices were not tested either.

Impact

Upon visiting a malicious or compromised website with a vulnerable device, an attacker may be able to bypass security features provided by the web browser.

Solution

Apply an update.

Google Chrome and Mozilla Firefox have released updates which disable high precision timers in the browser. Other browsers do not appear to be affected.

Vendor Information

 

CVSS Metrics

Group          Score  Vector
Base           4.0    AV:N/AC:H/Au:N/C:P/I:P/A:N
Temporal       3.6    E:F/RL:W/RC:C
Environmental  2.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

 

Other Information

  • CVE IDs: CVE-2018-10229
  • Date Public: 03 May 2018
  • Date First Published: 03 May 2018
  • Date Last Updated: 03 May 2018
  • Document Revision:45

 

The information above is gathered from CERT.ORG; the general disclaimer stated earlier on this page applies.

The newly discovered BlackRouter ransomware is propagating through the well-known remote desktop tool AnyDesk, bundled with a malicious payload.

AnyDesk is a widely used remote desktop tool, similar to TeamViewer, capable of bidirectional remote control between desktop operating systems including Windows, macOS, Linux and FreeBSD, as well as unidirectional access on Android and iOS.

Cybercriminals are abusing AnyDesk to distribute the new BlackRouter ransomware, bundling it with the AnyDesk tool package to infiltrate the victim’s system.

Bundling BlackRouter with a legitimate tool may be a technique the attackers use to evade detection by security software.

 

BlackRouter ransomware Infection Process

Initial propagation starts with victims unknowingly downloading the ransomware from malicious websites or compromised sites that have been turned into a malware distribution medium.

The ransomware then drops two files onto the victim’s computer and executes them to carry out the rest of the malicious process:

%User Temp%\ANYDESK.exe

%User Temp%\BLACKROUTER.exe

  1. The first file contains AnyDesk, which can perform file transfers, provide client-to-client chat and log sessions. In this case the attackers use an old version of AnyDesk rather than the current one.
  2. The second file is the actual BlackRouter ransomware, which encrypts files on the infected system with a range of extensions such as .gif, .mp4, .pdf and .xls.

 

During the infection process, AnyDesk runs in the background of the affected system while BlackRouter searches the following folders and encrypts all the files in them:

%Desktop%

%Application Data%

%AppDataLocal%

%Program Data%

%User Profile%

%System Root%\Users\All Users

%System Root%\Users\Default

%System Root%\Users\Public

All Drives except for %System Root%

 

After it completes the encryption process, it displays a ransom note with details of what has just happened on the infected computer.

It demands $50 in bitcoin to restore access to the locked files, and says that once victims pay the ransom they will receive the decryption key via Telegram.

It also warns victims not to shut down the computer, claiming that if they do, all the encrypted files will be locked forever.

Cybercriminals may be experimenting with AnyDesk as an alternative because TeamViewer’s developers have acknowledged its abuse and have included some anti-malware protection in some of their tools.

 

The information above is gathered from Brica; the general disclaimer stated earlier on this page applies.

The Possible MALWARE or SPYWARE Download Tech Support Scam is a common browser based scam that tries to trick people into thinking that their computer is infected and that a live support person is trying to help them. This fake support person then prompts you to call a listed phone number to receive support. If you see the screen below, do not panic and do not call the number as this is just a scam.

 

When the “Possible MALWARE or SPYWARE Download” Tech Support Scam is displayed in your browser it will contain text similar to the following:

 

Dear ISP Customer,

We have noticed excessive Possible MALWARE or SPYWARE Download on your Windows computer!

It could be because of a possible MALWARE or SPYWARE download.

CALL CERTIFIED MICROSOFT SUPPORT: 1 (833) 880-0974 (TOLL FREE) NOW

I see you might be getting a lot of Popup Advertisements and your PC might be running slow. Do you have an updated Anti-virus Security and System Drivers?

Hi, my name is Jackie. I am Chat Support agent for your Unknown OS Platform Computer.

I’m here to help but I highly recommend you call our toll-free support line (1 (833) 880-0974: and refer Case ID: CFIW4300-y8rsf1), so we can better assist you.

I’m still here to help if you need me, but I will have to disconnect soon. Can I help with anything?

Did you get your PC Diagnosed?
Contact Support at 1 (833) 880-0974 (Toll Free) if you haven’t already before navigating away.

 

Unfortunately, browser based tech support screens make it difficult to close the screen or sometimes even the browser itself. Thankfully, almost all browser based tech support scams can be closed by opening Windows Task Manager and ending the browser process. It is important, though, that if you end the browser process that you do not reopen previously closed sites if prompted by the browser when you start it again.

Finally, while standard site advertisements may display browser tech support scams, they are also commonly used by adware programs. Therefore, if you are constantly seeing browser based tech support scams, you should perform a scan of your computer for adware.

The Possible MALWARE or SPYWARE Download Tech Support Scam is shown through advertisements that redirect you to sites that display this scam. These advertisements can be displayed by installed adware programs or through less than reputable sites that are displaying them to generate advertising revenue.

For the most part, if you see a browser based tech support scam, then you can simply close the browser and start it again. On the other hand, if you are continuously seeing scams like the “Possible MALWARE or SPYWARE Download” scam, then you should scan your computer for adware and remove anything that is found.

 

The information above is gathered from Bleeping Computer; the general disclaimer stated earlier on this page applies.

 

CVE No: CVE-2018-1035
Modification History: April 18 2018
Vendor Base Score (Microsoft): 5.3
Vendor Vector (Microsoft): CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
Risk Level: High
Product Affected: Windows 10 Version 1709 for 32-bit Systems, Windows 10 Version 1709 for x64-based Systems, Windows Server, version 1709

 

Description:

A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine.

Solution:

Apply Microsoft’s security updates.

 

The information above is gathered from VULDB and Microsoft Security Guidance; the general disclaimer stated earlier on this page applies.